Is IT Ignorant When It Comes To Compliance?

Sure, IT professionals know about technology. But they don’t know a lot about caring for patients, explains Angela Bazigos, FDA IT compliance expert and CEO of Touchstone Technologies. So, she argues, let’s keep governance and compliance in the hands of the people who know the most about regulating sensitive data.

In a heated meeting with the Associate Director of IT at a former client, I explained that the technology his organization had selected would cause the client to overlook Serious Adverse Drug Reactions (SADRs). As their drug was lethal in elevated doses, patients might die as a consequence. He objected. “This technology is cheaper, and we are saving the company money by going with this vendor,” he continued. “That’s what’s important here!”

After I picked my jaw off the floor, I explained to him that:

We are all patients waiting to happen!

Patient deaths would result in the company needing to deal with fines, product recalls, sanctions, company closures, and lawsuits. Even if the business saved a few hundred thousand dollars in technology costs, it would end up paying millions or billions of dollars in damages.

He continued to insist on his technology choice. This guy was not unsympathetic or a sociopath. He was, however, much more focused on the immediate benefits than on the long-term consequences.

Unfortunately, my former client is not the only one with these mistaken perceptions. IT professionals are trained to look at technology’s benefits and how it can be used. But they are not trained to think about patients — so I can’t exactly blame them.

My experience with many IT professionals, even very senior ones, is that they regard regulations as onerous and a chore. Worse, IT professionals often lack understanding of the link between regulations and patient safety and product quality. The overwhelming majority seem to try to ignore, or at least get around, regulations. I understand how this individual got where he did, and the motivations behind his opinion.

In contrast, those who come from industries that are involved with living beings are familiar with the guidelines set by regulatory agencies appointed by the government to ensure consumer and animal safety. In the life sciences industry (encompassing pharmaceuticals, biotech, and medical devices) as well as in healthcare (doctors and hospitals), very rigorous regulations specify how something should be implemented. This is to ensure patient safety and the quality of the product (be it a drug or medical device).

To err is human; to foul things up completely, you need a computer

To explain IT’s apparent lack of understanding about regulatory guidelines, let me set some historical context. In 1983, an intrepid FDA inspector wrote a thoughtful paper explaining computer systems to his colleagues. He described keyboards, punch cards, and printers, and explained how they were now linked together. The inspector found that people could write programs to answer a question about a patient in minutes instead of weeks. The inspector was very impressed with this, and closed his paper with the prophetic statement: “It is possible that in the future, many companies, including smaller ones, will have a computer.”

In an effort to continue ensuring patient and public safety, in the 1980s the FDA began to insert statements in its Regulations and Guidances to address any stray computers that might be used in the industry. Predicate rules started including statements such as, “The system should be carefully calibrated to function as required.” This allowed regulations and guidances to address computers without specifically mentioning them. This way regulations could remain valid whether or not you had a computer.

Within a decade, electronic records and electronic signatures were used across the life sciences industry, replacing paper records and “wet” signatures. The FDA responded by working with eight companies to prototype a guidance for IT to follow regarding Electronic Records and Electronic Signatures (ERES). (It also worked on a guidance called “General Guidance for Software Validation,” which would be the subject of another article.)

I was one of the people tasked with prototyping these guidances. We were diligent in determining what to include. Both guidances were very “down to earth” and expected no more of handling your data than you would expect of handling your bank statements and Bluetooth connectivity (we used garage door openers as an example, back then, as Bluetooth had not yet been invented). Those early examples included ensuring your data is protected (Would you want to lose your bank data?), that the right people used them (Would you like your neighbors to use your bank data?), that when two systems talked to each other they only talked to approved systems (Would you want your Bluetooth to be picking up others’ conversations? Or your garage opener to open another’s garage?).

We were justifiably pleased with the balanced guidances (still in existence, today, though updated) that could help organizations ensure patient safety and product quality, while enabling a sustainable and scalable use of technology.

Fast-forward a couple of decades: computers are now an essential and fundamental part of running a life sciences company. My expectation, and the expectation of other regulatory bodies, is that those guidances should be followed to the letter!

There’s a difference between knowing the regulations and following them

In reality, IT colleagues often tell me that they cannot follow the regulations because they do not have enough time and they don’t have enough money to hire more personnel. I explain that this is like them saying they were not able to fill out their tax forms because they did not have enough time, and they were not able to pay their taxes because they did not have enough money. This happens a lot in real life; but just as in real life, not filing or not paying your taxes results in bad things. The same goes for not following regulations. The “bad things” can include humongous fines (in the billions of dollars), facility closures, product recalls, incarcerations, and stock value drops. You do not want to bring such negative consequences to your company.

Back to my former client: after long, often emotional and time-consuming discussions, they understood that they needed to follow regulations. I explained that we needed to ensure that they were trained in the relevant tasks. But then they told me they did not have enough time to be trained, even though it is against the law to perform certain tasks without such training. Eventually, we executed the appropriate training.

If you think that resulted in a successful outcome: not so fast! IT proceeded to perform the task following the letter of the law, but not the spirit of the law. For example, this client insisted it made more sense to hand patient data to SaaS providers, even though those providers were not compliant with the regulations. Their intent was to avoid training their staff and hiring personnel who understood regulations. I explained that this was like staffing a hospital with IT people instead of doctors and nurses. Nobody wants that.

Second, beyond the fact that these SaaS providers were not compliant, there seemed to be very strong apathy when it came to connecting the importance of regulations with patient safety.

Further, the client agreed to follow regulations, but only half-heartedly. For example, they tested the backup and restore function once, at the outset, as required by regulations, but they did not perform the periodic review that the regulations and industry best practice also require. When I audited the organization, I discovered that they had initially allocated 10GB of storage space, but their data had grown to 15GB. So every nightly backup was silently losing a third of the company’s data, and nobody had noticed because nobody had re-tested the restore. Beyond compliance, that was a data-loss nightmare waiting to happen.
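The failure above is exactly what a periodic review is meant to catch: a backup job that passed its initial test and then quietly outgrew its allocation. The following script is an added example, not code from the article or from any vendor named in it, of what such a review could do in practice: inventory the source and the backup by path, size and content hash, report anything missing or truncated, and compare the current data volume against the allocated capacity. The file names, the sizes (15 KB of data into a 10 KB allocation, scaled down from the article's 15GB into 10GB), and the `naive_backup()` stand-in for a job that stops writing without error once its space is full are all constructed for the demonstration.

```python
"""Added example: periodic backup verification (not code from the original article).

A backup job that was tested once can still fail silently later, for instance
when the source outgrows the space allocated for it. This script performs the
"periodic review": it inventories the source and the backup, reports files that
are missing or truncated, and checks the allocation against the current data
size. File names, sizes and naive_backup() are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

KB = 1024


def inventory(root):
    """Map each regular file under root (relative path) to (size, sha256)."""
    root = Path(root)
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        files[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return files


def verify_backup(source, backup):
    """Compare the backup against the source by path, size and content hash."""
    src, dst = inventory(source), inventory(backup)
    missing = sorted(p for p in src if p not in dst)
    corrupt = sorted(p for p in src if p in dst and dst[p] != src[p])
    source_bytes = sum(size for size, _ in src.values())
    # A truncated file is as useless as a missing one, so only count intact files.
    intact_bytes = sum(src[p][0] for p in src if p not in missing and p not in corrupt)
    return {
        "missing": missing,
        "corrupt": corrupt,
        "source_bytes": source_bytes,
        "intact_bytes": intact_bytes,
        "ok": not missing and not corrupt,
    }


def capacity_status(source_bytes, allocated_bytes, headroom=0.2):
    """'exceeded' once the data no longer fits; 'warning' inside the headroom band; else 'ok'."""
    if source_bytes > allocated_bytes:
        return "exceeded"
    if source_bytes > allocated_bytes * (1 - headroom):
        return "warning"
    return "ok"


def naive_backup(source, backup, allocated_bytes):
    """Constructed stand-in for a job that writes until its allocation is full and
    then stops without raising an error: the failure mode described in the text."""
    remaining = allocated_bytes
    for path in sorted(p for p in Path(source).rglob("*") if p.is_file()):
        if remaining <= 0:
            break  # later files are silently never written
        chunk = path.read_bytes()[:remaining]  # the file that hits the limit is truncated
        target = Path(backup) / path.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(chunk)
        remaining -= len(chunk)


def demo(source_sizes_kb=(4, 4, 4, 3), allocated_kb=10):
    """Build a constructed 15 KB source, back it up into a 10 KB allocation, then verify."""
    work = Path(tempfile.mkdtemp())
    try:
        source, backup = work / "source", work / "backup"
        source.mkdir()
        backup.mkdir()
        for i, kb in enumerate(source_sizes_kb):
            (source / f"record_{i}.dat").write_bytes(bytes([i + 1]) * (kb * KB))
        naive_backup(source, backup, allocated_kb * KB)
        report = verify_backup(source, backup)
        report["capacity"] = capacity_status(report["source_bytes"], allocated_kb * KB)
        return report
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    r = demo()
    print(f"backup ok: {r['ok']}  capacity: {r['capacity']}")
    print(f"missing: {r['missing']}  truncated/corrupt: {r['corrupt']}")
    print(f"intact {r['intact_bytes']} of {r['source_bytes']} bytes")
```

Run on the constructed data, the review flags one file missing, one truncated, and the allocation as exceeded; only 8 KB of the 15 KB source would actually restore, less than the two thirds that the raw byte count suggests, because a truncated record is not restorable either. Scheduling a check like this after every backup run, or at least at the periodic review interval, is what turns a one-time validation into the ongoing control the regulations ask for.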

There seems to be a very high barrier for IT pros to understand the need and more importantly the usefulness of regulations. I don’t know if this is because many IT people come from industries without patients or whether it’s because these people just do not see patients on a day-to-day basis. I recommend that IT people should not be hired — at the very least at life science companies — until they have passed an exam on IT regulations (yes, backups are very important and they need to be done correctly!) and that the staff who work in life sciences should be required to visit patients as part of an IT rotation. Perhaps then the disconnect will disappear.

IT is like electricity for a company: the company does not function without it. IT people are smart, dedicated, innovative, and want to learn. Yet we still have this lack of shared understanding. I am very open to hearing suggestions as to why that is and what can be done about it. Please respond to this blog with your suggestions.

In the meantime, even if you are not a patient today, I hope the planes, trains, and automobiles that you use every day are regulated! (Hint: They are.)

Interested in more on this topic? Download our new white paper: Finding The Right Prescription for Effective Life Science Data Governance.
